Google has re-architected the Mediaserver component in Android 7.0 Nougat and included other security enhancements in the new platform release.
Android Nougat was released on Aug. 22, but Google waited until Sept. 6 to detail the security enhancements. In addition to the re-architected Mediaserver, the enhancements include a new Direct Boot mode, a hardened media stack, strict enforcement of Verified Boot with error correction, and a reduced attack surface and better memory protection through updates to the Linux kernel.
Courtesy of the newly introduced Direct Boot, users no longer need to enter their PIN, pattern or password during the boot process to reach the phone's main features, such as the phone app and alarm clock. Android 7.0 also comes with file-based encryption, designed to deliver an improved user experience, as the system storage area and each user profile's storage area are encrypted separately.
“Unlike with full-disk encryption, where all data was encrypted as a single unit, per-profile-based encryption enables the system to reboot normally into a functional state using just device keys. Essential apps can opt-in to run in a limited state after reboot, and when you enter your lock screen credential, these apps then get access to your user data to provide full functionality,” Xiaowen Xin, Android Security Team, explains.
File-based encryption, Google says, can better isolate and protect individual users and profiles on the device: each profile is encrypted with a unique key, and only that user's PIN or password can unlock it. The new platform also requires that new Android devices with the necessary hardware include a trusted execution environment, such as ARM TrustZone, which is used to store security keys.
After Stagefright made headlines last year, Google has been patching Critical vulnerabilities in Android’s Mediaserver almost every month, and the company decided to harden and re-architect the component to improve security. For that, the company has introduced integer overflow sanitization to “prevent an entire class of vulnerabilities, which comprise the majority of reported libstagefright bugs.” Now, the process is stopped as soon as an integer overflow is detected.
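The class of bug the sanitizer targets is a size computation that wraps, as in a media atom whose entry count is multiplied by a fixed entry size. The following C is an added illustration and not Android or libstagefright code: it contrasts the unchecked arithmetic with a variant that, like the Nougat sanitizer, refuses to continue on overflow. The header bytes and atom layout are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Both functions compute the byte size of a table whose header, as in many
 * MP4-style atoms, carries an entry count followed by fixed-size entries.
 * The header values are untrusted because they come straight from the file. */

/* Unchecked 32-bit arithmetic: a large count wraps the product, so a tiny
 * buffer would be allocated and the copy that follows would overrun it.
 * Returns the (possibly wrapped) size. */
static uint32_t table_size_unchecked(uint32_t count, uint32_t entry_size) {
    return 8 + count * entry_size;   /* 8-byte atom header + entries */
}

/* Hardened variant: every intermediate is overflow-checked. The GCC/Clang
 * __builtin_*_overflow helpers report wrap-around instead of silently
 * truncating, and the caller treats a failure as a malformed file and stops
 * parsing, mirroring the sanitizer's stop-on-overflow behaviour. */
static bool table_size_checked(uint32_t count, uint32_t entry_size,
                               uint32_t *out) {
    uint32_t entries, total;
    if (__builtin_mul_overflow(count, entry_size, &entries)) return false;
    if (__builtin_add_overflow(entries, 8u, &total)) return false;
    *out = total;
    return true;
}

/* Big-endian 32-bit read, as used for atom fields. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Parses a constructed 8-byte header (count, entry size). Returns 0 when the
 * hardened path accepts the table size, -1 when it rejects the file. */
static int parse_table_header(const uint8_t hdr[8], uint32_t *size_out) {
    uint32_t count = be32(hdr), entry = be32(hdr + 4);
    return table_size_checked(count, entry, size_out) ? 0 : -1;
}

int main(void) {
    /* Constructed hostile header: count 0x40000000, entry size 12. */
    const uint8_t hostile[8] = {0x40, 0, 0, 0, 0, 0, 0, 12};
    uint32_t sz = 0;
    printf("unchecked size: %u\n", table_size_unchecked(0x40000000u, 12));
    printf("checked parse:  %d\n", parse_table_header(hostile, &sz));
    return 0;
}
```

The unchecked path reports a size of 8 bytes for a table that would need 12 GiB, while the checked path rejects the header outright.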
Additionally, the media stack has been modularized, “to put different components into individual sandboxes and tightened the privileges of each sandbox to have the minimum privileges required to perform its job.” Thanks to this containment, an attacker who compromises part of the stack gains significantly fewer permissions and sees a much smaller exposed kernel attack surface.
According to Xin, numerous other protections were also added to the platform, including:
• Verified Boot: Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.
• SELinux: Updated SELinux configuration and increased Seccomp coverage further lock down the application sandbox and reduce attack surface.
• Library load order randomization and improved ASLR: Increased randomness makes some code-reuse attacks less reliable.
• Kernel hardening: Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to userspace addresses, and further reducing the existing attack surface.
• APK signature scheme v2: Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.
In the new Android release, apps are protected from accidental regressions to cleartext traffic, and trusted certificate authorities are handled differently. Google launched its Android security rewards program last year and has now increased the maximum payout for critical vulnerabilities to up to $50,000 for flaws in TrustZone or Verified Boot.
Specifically, applications targeting API Level 24+ will no longer trust user-installed certificate authorities, or those installed through Device Admin APIs, by default. Moreover, “all new Android devices must ship with the same trusted CA store,” Xin notes.
In Android 7.0, apps looking to share data with other apps must now explicitly opt in. Moreover, developers can more easily configure network security policy through a declarative configuration file, which includes blocking cleartext traffic, configuring the set of trusted CAs and certificates, and setting up a separate debug con
App permissions and capabilities were also refined to increase protection. For example, Google has further restricted and removed access to persistent device identifiers such as MAC addresses, and user interface overlays can no longer be displayed on top of permission dialogs, which should prevent apps from performing “clickjacking” attacks.
“We’ve reduced the power of device admin applications so they can no longer change your lockscreen if you have a lockscreen set, and device admin will no longer be notified of impending disable via onDisableRequested(). These were tactics used by some ransomware to gain control of a device,” Xin explains.